Fraudsters are taking advantage of a security flaw in mass-text systems which allows them to send messages to victims that appear to have come from their bank.

Companies that send bulk texts to customers tend to use intermediaries who process the messages on their behalf. These intermediaries input the sender’s name, and networks categorise the texts using that name.

But scammers are able to hijack this process by sending messages using the name of a company, such as a bank. Networks will recognise you have received messages from the bank before and put the fraudulent message into the same text chain.

Research by consumer group Which? revealed that one in three people who text have received a scam message in the past six months. Of those people, one in 14 had lost personal data, money or both to the scammers.

Adam French, from Which?, said: “We found frightening numbers of people are receiving scam messages, leaving them vulnerable to the loss of their hard-earned cash and also sensitive personal information. Firms must take action to introduce the systems needed to stop these messages reaching people’s devices.”

Often scammers pose as a member of a bank’s fraud team, urging the recipient to call a number to protect their account, then stealing personal details and money.

Bank industry insiders have said networks could do more to prevent this type of fraud. Some have agreements with banks that they will block these messages unless they come from a company’s approved messaging partner.

Hamish MacLeod, of trade body Mobile UK, said: “Protecting customers from fraudulent mobile scams is and remains a top priority for all operators, and they continue to invest in new measures to help monitor and protect them.”

A spokesman for EE, Britain’s largest mobile network, said: “We’re working closely across the banking industry and other networks as part of a task force to help tackle this issue.”

The next biggest is O2. A spokesman said it was the first to trial identifying and blocking fraudulent messages not from official messaging partners. She added: “We continue to undertake extensive work to identify fake message headers in order to prevent them from appearing in genuine message chains.” Suspicious messages can be sent to 7726 for investigation.

Suzanne Raftery, of fraud recovery service Requite Solutions, said this should be stopped, and described the networks as “fraud enablers”.

She added: “Mobile phone networks are an enabler of fraud. Of course they should be doing more but this is just a small part of the problem.”

A spokesman for the National Cyber Security Centre, which is part of GCHQ, said: “The NCSC is aware of text message phishing, known as ‘smishing’, and we are working with our partners to reduce it.”